Browsing by Author "Watters P"

Now showing 1 - 6 of 6
  • Thumbnail Image
    Item
    From COBIT to ISO 42001: Evaluating cybersecurity frameworks for opportunities, risks, and regulatory compliance in commercializing large language models
    (Elsevier B.V., 2024-09-01) McIntosh TR; Susnjak T; Liu T; Watters P; Xu D; Liu D; Nowrozy R; Halgamuge MN
    This study investigated the integration readiness of four predominant cybersecurity Governance, Risk and Compliance (GRC) frameworks – NIST CSF 2.0, COBIT 2019, ISO 27001:2022, and the latest ISO 42001:2023 – for the opportunities, risks, and regulatory compliance when adopting Large Language Models (LLMs), using qualitative content analysis and expert validation. Our analysis, with both LLMs and human experts in the loop, uncovered potential for LLM integration together with inadequacies in LLM risk oversight of those frameworks. Comparative gap analysis has highlighted that the new ISO 42001:2023, specifically designed for Artificial Intelligence (AI) management systems, provided most comprehensive facilitation for LLM opportunities, whereas COBIT 2019 aligned most closely with the European Union AI Act. Nonetheless, our findings suggested that all evaluated frameworks would benefit from enhancements to more effectively and more comprehensively address the multifaceted risks associated with LLMs, indicating a critical and time-sensitive need for their continuous evolution. We propose integrating human-expert-in-the-loop validation processes as crucial for enhancing cybersecurity frameworks to support secure and compliant LLM integration, and discuss implications for the continuous evolution of cybersecurity GRC frameworks to support the secure integration of LLMs.
  • Thumbnail Image
    Item
    From Google Gemini to OpenAI Q* (Q-Star): A Survey on Reshaping the Generative Artificial Intelligence (AI) Research Landscape
    (MDPI (Basel, Switzerland), 2025-02-01) McIntosh TR; Susnjak T; Liu T; Watters P; Xu D; Liu D; Halgamuge MN; Mladenov V
    This comprehensive survey explored the evolving landscape of generative Artificial Intelligence (AI), with a specific focus on the recent technological breakthroughs and the gathering advancements toward possible Artificial General Intelligence (AGI). It critically examined the current state and future trajectory of generative AI, exploring how innovations in developing actionable and multimodal AI agents with the ability scale their “thinking” in solving complex reasoning tasks are reshaping research priorities and applications across various domains, while the survey also offers an impact analysis on the generative AI research taxonomy. This work has assessed the computational challenges, scalability, and real-world implications of these technologies while highlighting their potential in driving significant progress in fields like healthcare, finance, and education. Our study also addressed the emerging academic challenges posed by the proliferation of both AI-themed and AI-generated preprints, examining their impact on the peer-review process and scholarly communication. The study highlighted the importance of incorporating ethical and human-centric methods in AI development, ensuring alignment with societal norms and welfare, and outlined a strategy for future AI research that focuses on a balanced and conscientious use of generative AI as its capabilities continue to scale.
  • Thumbnail Image
    Item
    Harnessing GPT-4 for generation of cybersecurity GRC policies: A focus on ransomware attack mitigation
    (Elsevier B.V., 2023-11-01) McIntosh T; Liu T; Susnjak T; Alavizadeh H; Ng A; Nowrozy R; Watters P
    This study investigated the potential of Generative Pre-trained Transformers (GPTs), a state-of-the-art large language model, in generating cybersecurity policies to deter and mitigate ransomware attacks that perform data exfiltration. We compared the effectiveness, efficiency, completeness, and ethical compliance of GPT-generated Governance, Risk and Compliance (GRC) policies, with those from established security vendors and government cybersecurity agencies, using game theory, cost-benefit analysis, coverage ratio, and multi-objective optimization. Our findings demonstrated that GPT-generated policies could outperform human-generated policies in certain contexts, particularly when provided with tailored input prompts. To address the limitations of our study, we conducted our analysis with thorough human moderation, tailored input prompts, and the inclusion of legal and ethical experts. Based on these results, we made recommendations for corporates considering the incorporation of GPT in their GRC policy making.
  • Thumbnail Image
    Item
    Masquerade Attacks Against Security Software Exclusion Lists
    (AJIIPS, 2019) McIntosh T; Jang-Jaccard J; Watters P; Susnjak T
    Security software, commonly known as Antivirus, has evolved from simple virus scanners to become multi-functional security suites. To combat ever-growing malware threats, modern security software utilizes both static and dynamic analysis to assess malware threats, inevitably leading to occasional false positive and false negative reports. To mitigate this, existing state-of-the-art security software offers the feature of Exclusion Lists to allow users to exclude specified files and folders from being scanned or monitored. Through rigorous evaluation, however, we found that some of such products stored their Exclusion Lists as unencrypted cleartexts either in known or predictable locations. In this paper we empirically demonstrate how easy it is to exploit the Exclusion Lists by launching masquerade attacks. We argue that the Exclusion Lists should be better implemented such as using application whitelisting, the contents of the lists to be better safeguarded, and only be readable by authorized entities within a strong access control scheme.
  • Thumbnail Image
    Item
    Ransomware Reloaded: Re-examining Its Trend, Research and Mitigation in the Era of Data Exfiltration
    (Association for Computing Machinery New York, NY, United States, 2024-10-07) McIntosh T; Susnjak T; Liu T; Xu D; Watters P; Liu D; Hao Y; Ng A; Halgamuge M; Atienza D; Milano M
    Ransomware has grown to be a dominant cybersecurity threat by exfiltrating, encrypting, or destroying valuable user data and causing numerous disruptions to victims. The severity of the ransomware endemic has generated research interest from both the academia and the industry. However, many studies held stereotypical assumptions about ransomware, used unverified, outdated, and limited self-collected ransomware samples, and did not consider government strategies, industry guidelines, or cyber intelligence. We observed that ransomware no longer exists simply as an executable file or limits to encrypting files (data loss); data exfiltration (data breach) is the new norm, espionage is an emerging theme, and the industry is shifting focus from technical advancements to cyber governance and resilience. We created a ransomware innovation adoption curve, critically evaluated 212 academic studies published during 2020 and 2023, and cross-verified them against various government strategies, industry reports, and cyber intelligence on ransomware. We concluded that many studies were becoming irrelevant to the contemporary ransomware reality and called for the redirection of ransomware research to align with the continuous ransomware evolution in the industry. We proposed to address data exfiltration as priority over data encryption, to consider ransomware in a business-practical manner, and recommended research collaboration with the industry.
  • Thumbnail Image
    Item
    Using data-driven and process mining techniques for identifying and characterizing problem gamblers in New Zealand
    (RTU Press, 2016-12) Suriadi S; Susnjak T; Ponder-Sutton A; Watters P; Schumacher CR